1
0

fips-check.sh 23 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508509510511512513514515516517518519520521522523524525526527528529530531532533534535536537538539540541542543544545546547548549550551552553554555556557558559560561562563564565566567568569570571572573574575576577578579580581582583584585586587588589590591592593594595596597598599600601602603604605606607608609610611612613614615616617618619620621622623624625626627628629630631632633634635636637638639640641642643644
  1. #!/usr/bin/env bash
  2. # fips-check.sh
  3. # This script checks the current revision of the code against the
  4. # previous release of the FIPS code. While wolfSSL and wolfCrypt
  5. # may be advancing, they must work correctly with the last tested
  6. # copy of our FIPS approved code.
  7. #
  8. # This should check out all the approved flavors. The command line
  9. # option selects the flavor. The keep option keeps the output
  10. # directory.
  11. # These variables may be overridden on the command line.
  12. MAKE="${MAKE:-make}"
  13. GIT="${GIT:-git -c advice.detachedHead=false}"
  14. TEST_DIR="${TEST_DIR:-XXX-fips-test}"
  15. case "$TEST_DIR" in
  16. /*) ;;
  17. *) TEST_DIR="${PWD}/${TEST_DIR}"
  18. ;;
  19. esac
  20. FLAVOR="${FLAVOR:-linux}"
  21. KEEP="${KEEP:-no}"
  22. MAKECHECK=${MAKECHECK:-yes}
  23. DOCONFIGURE=${DOCONFIGURE:-yes}
  24. DOAUTOGEN=${DOAUTOGEN:-yes}
  25. FIPS_REPO="${FIPS_REPO:-git@github.com:wolfssl/fips.git}"
  26. WOLFSSL_REPO="${WOLFSSL_REPO:-git@github.com:wolfssl/wolfssl.git}"
  27. Usage() {
  28. cat <<usageText
  29. Usage: $0 [flavor] [keep]
  30. Flavor is one of:
  31. linuxv2 (FIPSv2, use for Win10)
  32. fipsv2-OE-ready (ready FIPSv2)
  33. solaris
  34. netbsd-selftest
  35. marvell-linux-selftest
  36. linuxv5 (current FIPS 140-3)
  37. fips-ready (ready FIPS 140-3)
  38. fips-dev (dev FIPS 140-3)
  39. wolfrand
  40. wolfentropy
  41. v6.0.0
  42. Keep (default off) retains the temp dir $TEST_DIR for inspection.
  43. Example:
  44. $0 windows keep
  45. usageText
  46. }
  47. while [ "$1" ]; do
  48. if [ "$1" = 'keep' ]; then KEEP='yes';
  49. elif [ "$1" = 'nomakecheck' ]; then MAKECHECK='no';
  50. elif [ "$1" = 'nodoconfigure' ]; then DOCONFIGURE='no';
  51. elif [ "$1" = 'noautogen' ]; then DOCONFIGURE='no'; DOAUTOGEN='no';
  52. else FLAVOR="$1"; fi
  53. shift
  54. done
  55. case "$FLAVOR" in
  56. linuxv2|fipsv2-OE-ready|solaris)
  57. FIPS_OPTION='v2'
  58. FIPS_FILES=(
  59. 'wolfcrypt/src/fips.c:WCv4-stable'
  60. 'wolfcrypt/src/fips_test.c:WCv4-stable'
  61. 'wolfcrypt/src/wolfcrypt_first.c:WCv4-stable'
  62. 'wolfcrypt/src/wolfcrypt_last.c:WCv4-stable'
  63. 'wolfssl/wolfcrypt/fips.h:WCv4-stable'
  64. )
  65. WOLFCRYPT_FILES=(
  66. 'wolfcrypt/src/aes.c:WCv4-stable'
  67. 'wolfcrypt/src/aes_asm.asm:WCv4-stable'
  68. 'wolfcrypt/src/aes_asm.S:WCv4-stable'
  69. 'wolfcrypt/src/cmac.c:WCv4-stable'
  70. 'wolfcrypt/src/des3.c:WCv4-stable'
  71. 'wolfcrypt/src/dh.c:WCv4-stable'
  72. 'wolfcrypt/src/ecc.c:WCv4-stable'
  73. 'wolfcrypt/src/hmac.c:WCv4-stable'
  74. 'wolfcrypt/src/random.c:WCv4-rng-stable'
  75. 'wolfcrypt/src/rsa.c:WCv4-stable'
  76. 'wolfcrypt/src/sha.c:WCv4-stable'
  77. 'wolfcrypt/src/sha256.c:WCv4-stable'
  78. 'wolfcrypt/src/sha3.c:WCv4-stable'
  79. 'wolfcrypt/src/sha512.c:WCv4-stable'
  80. 'wolfssl/wolfcrypt/aes.h:WCv4-stable'
  81. 'wolfssl/wolfcrypt/cmac.h:WCv4-stable'
  82. 'wolfssl/wolfcrypt/des3.h:WCv4-stable'
  83. 'wolfssl/wolfcrypt/dh.h:WCv4-stable'
  84. 'wolfssl/wolfcrypt/ecc.h:WCv4-stable'
  85. 'wolfssl/wolfcrypt/hmac.h:WCv4-stable'
  86. 'wolfssl/wolfcrypt/random.h:WCv4-rng-stable'
  87. 'wolfssl/wolfcrypt/rsa.h:WCv4-stable'
  88. 'wolfssl/wolfcrypt/sha.h:WCv4-stable'
  89. 'wolfssl/wolfcrypt/sha256.h:WCv4-stable'
  90. 'wolfssl/wolfcrypt/sha3.h:WCv4-stable'
  91. 'wolfssl/wolfcrypt/sha512.h:WCv4-stable'
  92. )
  93. if [ "$FLAVOR" = 'solaris' ]; then MAKE='gmake'; fi
  94. ;;
  95. netbsd-selftest)
  96. # non-FIPS, CAVP only but pull in selftest
  97. FIPS_OPTION='cavp-selftest'
  98. FIPS_FILES=('wolfcrypt/src/selftest.c:v3.14.2b')
  99. WOLFCRYPT_FILES=(
  100. 'wolfcrypt/src/aes.c:v3.14.2'
  101. 'wolfcrypt/src/dh.c:v3.14.2'
  102. 'wolfcrypt/src/dsa.c:v3.14.2'
  103. 'wolfcrypt/src/ecc.c:v3.14.2'
  104. 'wolfcrypt/src/hmac.c:v3.14.2'
  105. 'wolfcrypt/src/random.c:v3.14.2'
  106. 'wolfcrypt/src/rsa.c:v3.14.2'
  107. 'wolfcrypt/src/sha.c:v3.14.2'
  108. 'wolfcrypt/src/sha256.c:v3.14.2'
  109. 'wolfcrypt/src/sha512.c:v3.14.2'
  110. 'wolfssl/wolfcrypt/aes.h:v3.14.2'
  111. 'wolfssl/wolfcrypt/dh.h:v3.14.2'
  112. 'wolfssl/wolfcrypt/dsa.h:v3.14.2'
  113. 'wolfssl/wolfcrypt/ecc.h:v3.14.2'
  114. 'wolfssl/wolfcrypt/hmac.h:v3.14.2'
  115. 'wolfssl/wolfcrypt/random.h:v3.14.2'
  116. 'wolfssl/wolfcrypt/rsa.h:v3.14.2'
  117. 'wolfssl/wolfcrypt/sha.h:v3.14.2'
  118. 'wolfssl/wolfcrypt/sha256.h:v3.14.2'
  119. 'wolfssl/wolfcrypt/sha512.h:v3.14.2'
  120. )
  121. ;;
  122. marvell-linux-selftest)
  123. # non-FIPS, CAVP only but pull in selftest
  124. FIPS_OPTION='cavp-selftest-v2'
  125. FIPS_FILES=('wolfcrypt/src/selftest.c:v3.14.2b')
  126. WOLFCRYPT_FILES=(
  127. 'wolfcrypt/src/aes.c:v4.1.0-stable'
  128. 'wolfcrypt/src/dh.c:v4.1.0-stable'
  129. 'wolfcrypt/src/dsa.c:v4.1.0-stable'
  130. 'wolfcrypt/src/ecc.c:v4.1.0-stable'
  131. 'wolfcrypt/src/hmac.c:v4.1.0-stable'
  132. 'wolfcrypt/src/random.c:v4.1.0-stable'
  133. 'wolfcrypt/src/rsa.c:v4.1.0-stable'
  134. 'wolfcrypt/src/sha.c:v4.1.0-stable'
  135. 'wolfcrypt/src/sha256.c:v4.1.0-stable'
  136. 'wolfcrypt/src/sha512.c:v4.1.0-stable'
  137. 'wolfssl/wolfcrypt/aes.h:v4.1.0-stable'
  138. 'wolfssl/wolfcrypt/dh.h:v4.1.0-stable'
  139. 'wolfssl/wolfcrypt/dsa.h:v4.1.0-stable'
  140. 'wolfssl/wolfcrypt/ecc.h:v4.1.0-stable'
  141. 'wolfssl/wolfcrypt/hmac.h:v4.1.0-stable'
  142. 'wolfssl/wolfcrypt/random.h:v4.1.0-stable'
  143. 'wolfssl/wolfcrypt/rsa.h:v4.1.0-stable'
  144. 'wolfssl/wolfcrypt/sha.h:v4.1.0-stable'
  145. 'wolfssl/wolfcrypt/sha256.h:v4.1.0-stable'
  146. 'wolfssl/wolfcrypt/sha512.h:v4.1.0-stable'
  147. )
  148. ;;
  149. linuxv5-RC12)
  150. FIPS_OPTION='v5-RC12'
  151. FIPS_FILES=(
  152. 'wolfcrypt/src/fips.c:WCv5.2.0.1-RC01'
  153. 'wolfcrypt/src/fips_test.c:WCv5.0-RC12'
  154. 'wolfcrypt/src/wolfcrypt_first.c:WCv5.0-RC12'
  155. 'wolfcrypt/src/wolfcrypt_last.c:WCv5.0-RC12'
  156. 'wolfssl/wolfcrypt/fips.h:WCv5.0-RC12'
  157. )
  158. WOLFCRYPT_FILES=(
  159. 'wolfcrypt/src/aes.c:WCv5.0-RC12'
  160. 'wolfcrypt/src/aes_asm.asm:WCv5.0-RC12'
  161. 'wolfcrypt/src/aes_asm.S:WCv5.0-RC12'
  162. 'wolfcrypt/src/aes_gcm_asm.S:WCv5.0-RC12'
  163. 'wolfcrypt/src/cmac.c:WCv5.0-RC12'
  164. 'wolfcrypt/src/dh.c:WCv5.0-RC12'
  165. 'wolfcrypt/src/ecc.c:WCv5.0-RC12'
  166. 'wolfcrypt/src/hmac.c:WCv5.0-RC12'
  167. 'wolfcrypt/src/kdf.c:WCv5.0-RC12'
  168. 'wolfcrypt/src/random.c:WCv5.0-RC12'
  169. 'wolfcrypt/src/rsa.c:WCv5.0-RC12'
  170. 'wolfcrypt/src/sha.c:WCv5.0-RC12'
  171. 'wolfcrypt/src/sha256.c:WCv5.0-RC12'
  172. 'wolfcrypt/src/sha256_asm.S:WCv5.0-RC12'
  173. 'wolfcrypt/src/sha3.c:WCv5.0-RC12'
  174. 'wolfcrypt/src/sha512.c:WCv5.0-RC12'
  175. 'wolfcrypt/src/sha512_asm.S:WCv5.0-RC12'
  176. 'wolfssl/wolfcrypt/aes.h:WCv5.0-RC12'
  177. 'wolfssl/wolfcrypt/cmac.h:WCv5.0-RC12'
  178. 'wolfssl/wolfcrypt/dh.h:WCv5.0-RC12'
  179. 'wolfssl/wolfcrypt/ecc.h:WCv5.0-RC12'
  180. 'wolfssl/wolfcrypt/fips_test.h:WCv5.0-RC12'
  181. 'wolfssl/wolfcrypt/hmac.h:WCv5.0-RC12'
  182. 'wolfssl/wolfcrypt/kdf.h:WCv5.0-RC12'
  183. 'wolfssl/wolfcrypt/random.h:WCv5.0-RC12'
  184. 'wolfssl/wolfcrypt/rsa.h:WCv5.0-RC12'
  185. 'wolfssl/wolfcrypt/sha.h:WCv5.0-RC12'
  186. 'wolfssl/wolfcrypt/sha256.h:WCv5.0-RC12'
  187. 'wolfssl/wolfcrypt/sha3.h:WCv5.0-RC12'
  188. 'wolfssl/wolfcrypt/sha512.h:WCv5.0-RC12'
  189. )
  190. ;;
  191. linuxv5|linuxv5.2.1)
  192. FIPS_OPTION='v5'
  193. FIPS_FILES=(
  194. 'wolfcrypt/src/fips.c:v5.2.1-stable'
  195. 'wolfcrypt/src/fips_test.c:v5.2.1-stable'
  196. 'wolfcrypt/src/wolfcrypt_first.c:v5.2.1-stable'
  197. 'wolfcrypt/src/wolfcrypt_last.c:v5.2.1-stable'
  198. 'wolfssl/wolfcrypt/fips.h:v5.2.1-stable-OS_Seed-HdrOnly'
  199. )
  200. WOLFCRYPT_FILES=(
  201. 'wolfcrypt/src/aes.c:v5.2.1-stable'
  202. 'wolfcrypt/src/aes_asm.asm:v5.2.1-stable'
  203. 'wolfcrypt/src/aes_asm.S:v5.2.1-stable'
  204. 'wolfcrypt/src/aes_gcm_asm.S:v5.2.1-stable'
  205. 'wolfcrypt/src/cmac.c:v5.2.1-stable'
  206. 'wolfcrypt/src/dh.c:v5.2.1-stable'
  207. 'wolfcrypt/src/ecc.c:v5.2.1-stable'
  208. 'wolfcrypt/src/hmac.c:v5.2.1-stable'
  209. 'wolfcrypt/src/kdf.c:v5.2.1-stable'
  210. 'wolfcrypt/src/random.c:v5.2.1-stable'
  211. 'wolfcrypt/src/rsa.c:v5.2.1-stable'
  212. 'wolfcrypt/src/sha.c:v5.2.1-stable'
  213. 'wolfcrypt/src/sha256.c:v5.2.1-stable'
  214. 'wolfcrypt/src/sha256_asm.S:v5.2.1-stable'
  215. 'wolfcrypt/src/sha3.c:v5.2.1-stable'
  216. 'wolfcrypt/src/sha512.c:v5.2.1-stable'
  217. 'wolfcrypt/src/sha512_asm.S:v5.2.1-stable'
  218. 'wolfssl/wolfcrypt/aes.h:v5.2.1-stable'
  219. 'wolfssl/wolfcrypt/cmac.h:v5.2.1-stable'
  220. 'wolfssl/wolfcrypt/dh.h:v5.2.1-stable'
  221. 'wolfssl/wolfcrypt/ecc.h:v5.2.1-stable'
  222. 'wolfssl/wolfcrypt/fips_test.h:v5.2.1-stable'
  223. 'wolfssl/wolfcrypt/hmac.h:v5.2.1-stable'
  224. 'wolfssl/wolfcrypt/kdf.h:v5.2.1-stable'
  225. 'wolfssl/wolfcrypt/random.h:v5.2.1-stable-OS_Seed-HdrOnly'
  226. 'wolfssl/wolfcrypt/rsa.h:v5.2.1-stable'
  227. 'wolfssl/wolfcrypt/sha.h:v5.2.1-stable'
  228. 'wolfssl/wolfcrypt/sha256.h:v5.2.1-stable'
  229. 'wolfssl/wolfcrypt/sha3.h:v5.2.1-stable'
  230. 'wolfssl/wolfcrypt/sha512.h:v5.2.1-stable'
  231. )
  232. ;;
  233. v6.0.0)
  234. WOLF_REPO_TAG='WCv6.0.0-RC3'
  235. FIPS_REPO_TAG='WCv6.0.0-RC3'
  236. ASM_PICKUPS_TAG='WCv6.0.0-RC3'
  237. FIPS_OPTION='v6'
  238. FIPS_FILES=(
  239. "wolfcrypt/src/fips.c:${FIPS_REPO_TAG}"
  240. "wolfcrypt/src/fips_test.c:${FIPS_REPO_TAG}"
  241. "wolfcrypt/src/wolfcrypt_first.c:${FIPS_REPO_TAG}"
  242. "wolfcrypt/src/wolfcrypt_last.c:${FIPS_REPO_TAG}"
  243. "wolfssl/wolfcrypt/fips.h:${FIPS_REPO_TAG}"
  244. )
  245. WOLFCRYPT_FILES=(
  246. "wolfcrypt/src/aes_asm.asm:${WOLF_REPO_TAG}"
  247. "wolfcrypt/src/aes_asm.S:${WOLF_REPO_TAG}"
  248. "wolfcrypt/src/aes_gcm_asm.S:${WOLF_REPO_TAG}"
  249. "wolfcrypt/src/aes_gcm_x86_asm.S:${WOLF_REPO_TAG}"
  250. "wolfcrypt/src/aes_xts_asm.S:${WOLF_REPO_TAG}"
  251. "wolfcrypt/src/aes.c:${WOLF_REPO_TAG}"
  252. "wolfcrypt/src/port/arm/armv8-32-aes-asm_c.c:${ASM_PICKUPS_TAG}"
  253. "wolfcrypt/src/port/arm/armv8-32-aes-asm.S:${WOLF_REPO_TAG}"
  254. "wolfcrypt/src/port/arm/armv8-32-curve25519_c.c:${ASM_PICKUPS_TAG}"
  255. "wolfcrypt/src/port/arm/armv8-32-curve25519.S:${WOLF_REPO_TAG}"
  256. "wolfcrypt/src/port/arm/armv8-32-sha256-asm_c.c:${ASM_PICKUPS_TAG}"
  257. "wolfcrypt/src/port/arm/armv8-32-sha256-asm.S:${WOLF_REPO_TAG}"
  258. "wolfcrypt/src/port/arm/armv8-32-sha3-asm_c.c:${WOLF_REPO_TAG}"
  259. "wolfcrypt/src/port/arm/armv8-32-sha3-asm.S:${WOLF_REPO_TAG}"
  260. "wolfcrypt/src/port/arm/armv8-32-sha512-asm_c.c:${ASM_PICKUPS_TAG}"
  261. "wolfcrypt/src/port/arm/armv8-32-sha512-asm.S:${WOLF_REPO_TAG}"
  262. "wolfcrypt/src/port/arm/armv8-aes.c:${ASM_PICKUPS_TAG}"
  263. "wolfcrypt/src/port/arm/armv8-curve25519_c.c:${ASM_PICKUPS_TAG}"
  264. "wolfcrypt/src/port/arm/armv8-curve25519.S:${WOLF_REPO_TAG}"
  265. "wolfcrypt/src/port/arm/armv8-sha256.c:${WOLF_REPO_TAG}"
  266. "wolfcrypt/src/port/arm/armv8-sha3-asm_c.c:${ASM_PICKUPS_TAG}"
  267. "wolfcrypt/src/port/arm/armv8-sha3-asm.S:${ASM_PICKUPS_TAG}"
  268. "wolfcrypt/src/port/arm/armv8-sha512-asm_c.c:${ASM_PICKUPS_TAG}"
  269. "wolfcrypt/src/port/arm/armv8-sha512-asm.S:${WOLF_REPO_TAG}"
  270. "wolfcrypt/src/port/arm/armv8-sha512.c:${WOLF_REPO_TAG}"
  271. "wolfcrypt/src/cmac.c:${WOLF_REPO_TAG}"
  272. "wolfcrypt/src/curve25519.c:${WOLF_REPO_TAG}"
  273. "wolfcrypt/src/curve448.c:${WOLF_REPO_TAG}"
  274. "wolfcrypt/src/dh.c:${WOLF_REPO_TAG}"
  275. "wolfcrypt/src/ecc.c:${WOLF_REPO_TAG}"
  276. "wolfcrypt/src/ed25519.c:${WOLF_REPO_TAG}"
  277. "wolfcrypt/src/ed448.c:${WOLF_REPO_TAG}"
  278. "wolfcrypt/src/hmac.c:${WOLF_REPO_TAG}"
  279. "wolfcrypt/src/kdf.c:${WOLF_REPO_TAG}"
  280. "wolfcrypt/src/pwdbased.c:${WOLF_REPO_TAG}"
  281. "wolfcrypt/src/random.c:${WOLF_REPO_TAG}"
  282. "wolfcrypt/src/rsa.c:${WOLF_REPO_TAG}"
  283. "wolfcrypt/src/sha.c:${WOLF_REPO_TAG}"
  284. "wolfcrypt/src/sha256_asm.S:${WOLF_REPO_TAG}"
  285. "wolfcrypt/src/sha256.c:${WOLF_REPO_TAG}"
  286. "wolfcrypt/src/sha3.c:${WOLF_REPO_TAG}"
  287. "wolfcrypt/src/sha3_asm.S:${WOLF_REPO_TAG}"
  288. "wolfcrypt/src/sha512_asm.S:${WOLF_REPO_TAG}"
  289. "wolfcrypt/src/sha512.c:${WOLF_REPO_TAG}"
  290. "wolfcrypt/src/sp_arm32.c:${ASM_PICKUPS_TAG}"
  291. "wolfcrypt/src/sp_arm64.c:${ASM_PICKUPS_TAG}"
  292. "wolfcrypt/src/sp_armthumb.c:${ASM_PICKUPS_TAG}"
  293. "wolfcrypt/src/sp_c32.c:${ASM_PICKUPS_TAG}"
  294. "wolfcrypt/src/sp_c64.c:${ASM_PICKUPS_TAG}"
  295. "wolfcrypt/src/sp_cortexm.c:${ASM_PICKUPS_TAG}"
  296. "wolfcrypt/src/sp_x86_64_asm.asm:${WOLF_REPO_TAG}"
  297. "wolfcrypt/src/sp_x86_64_asm.S:${WOLF_REPO_TAG}"
  298. "wolfcrypt/src/sp_x86_64.c:${ASM_PICKUPS_TAG}"
  299. "wolfcrypt/src/port/arm/thumb2-aes-asm_c.c:${WOLF_REPO_TAG}"
  300. "wolfcrypt/src/port/arm/thumb2-aes-asm.S:${WOLF_REPO_TAG}"
  301. "wolfcrypt/src/port/arm/thumb2-curve25519_c.c:${WOLF_REPO_TAG}"
  302. "wolfcrypt/src/port/arm/thumb2-curve25519.S:${WOLF_REPO_TAG}"
  303. "wolfcrypt/src/port/arm/thumb2-sha256-asm_c.c:${WOLF_REPO_TAG}"
  304. "wolfcrypt/src/port/arm/thumb2-sha256-asm.S:${WOLF_REPO_TAG}"
  305. "wolfcrypt/src/port/arm/thumb2-sha3-asm_c.c:${WOLF_REPO_TAG}"
  306. "wolfcrypt/src/port/arm/thumb2-sha3-asm.S:${WOLF_REPO_TAG}"
  307. "wolfcrypt/src/port/arm/thumb2-sha512-asm_c.c:${WOLF_REPO_TAG}"
  308. "wolfcrypt/src/port/arm/thumb2-sha512-asm.S:${WOLF_REPO_TAG}"
  309. "wolfssl/wolfcrypt/aes.h:${WOLF_REPO_TAG}"
  310. "wolfssl/wolfcrypt/cmac.h:${WOLF_REPO_TAG}"
  311. "wolfssl/wolfcrypt/curve25519.h:${WOLF_REPO_TAG}"
  312. "wolfssl/wolfcrypt/curve448.h:${WOLF_REPO_TAG}"
  313. "wolfssl/wolfcrypt/dh.h:${WOLF_REPO_TAG}"
  314. "wolfssl/wolfcrypt/ecc.h:${WOLF_REPO_TAG}"
  315. "wolfssl/wolfcrypt/ed25519.h:${WOLF_REPO_TAG}"
  316. "wolfssl/wolfcrypt/ed448.h:${WOLF_REPO_TAG}"
  317. "wolfssl/wolfcrypt/fips_test.h:${WOLF_REPO_TAG}"
  318. "wolfssl/wolfcrypt/hmac.h:${WOLF_REPO_TAG}"
  319. "wolfssl/wolfcrypt/kdf.h:${WOLF_REPO_TAG}"
  320. "wolfssl/wolfcrypt/pwdbased.h:${WOLF_REPO_TAG}"
  321. "wolfssl/wolfcrypt/random.h:${WOLF_REPO_TAG}"
  322. "wolfssl/wolfcrypt/rsa.h:${WOLF_REPO_TAG}"
  323. "wolfssl/wolfcrypt/sha.h:${WOLF_REPO_TAG}"
  324. "wolfssl/wolfcrypt/sha256.h:${WOLF_REPO_TAG}"
  325. "wolfssl/wolfcrypt/sha3.h:${WOLF_REPO_TAG}"
  326. "wolfssl/wolfcrypt/sha512.h:${WOLF_REPO_TAG}"
  327. "wolfcrypt/src/port/riscv/riscv-64-sha256.c:${WOLF_REPO_TAG}"
  328. "wolfcrypt/src/port/riscv/riscv-64-sha3.c:${WOLF_REPO_TAG}"
  329. "wolfcrypt/src/port/riscv/riscv-64-sha512.c:${WOLF_REPO_TAG}"
  330. )
  331. ;;
  332. fips-ready|fips-dev)
  333. if [ "$FLAVOR" = 'fips-dev' ]; then
  334. FIPS_OPTION='dev'
  335. else
  336. FIPS_OPTION='ready'
  337. fi
  338. FIPS_FILES=(
  339. 'wolfcrypt/src/fips.c:master'
  340. 'wolfcrypt/src/fips_test.c:master'
  341. 'wolfcrypt/src/wolfcrypt_first.c:master'
  342. 'wolfcrypt/src/wolfcrypt_last.c:master'
  343. 'wolfssl/wolfcrypt/fips.h:master'
  344. )
  345. WOLFCRYPT_FILES=()
  346. ;;
  347. wolfrand)
  348. FIPS_OPTION='rand'
  349. FIPS_FILES=(
  350. 'wolfcrypt/src/fips.c:WRv4-stable'
  351. 'wolfcrypt/src/fips_test.c:WRv4-stable'
  352. 'wolfcrypt/src/wolfcrypt_first.c:WRv4-stable'
  353. 'wolfcrypt/src/wolfcrypt_last.c:WRv4-stable'
  354. 'wolfssl/wolfcrypt/fips.h:WRv4-stable'
  355. )
  356. WOLFCRYPT_FILES=(
  357. 'wolfcrypt/src/hmac.c:WCv4-stable'
  358. 'wolfcrypt/src/random.c:WCv4-rng-stable'
  359. 'wolfcrypt/src/sha256.c:WCv4-stable'
  360. 'wolfssl/wolfcrypt/hmac.h:WCv4-stable'
  361. 'wolfssl/wolfcrypt/random.h:WCv4-rng-stable'
  362. 'wolfssl/wolfcrypt/sha256.h:WCv4-stable'
  363. )
  364. ;;
  365. wolfentropy)
  366. FIPS_OPTION='v6'
  367. FIPS_FILES=(
  368. 'wolfcrypt/src/fips.c:wolfEntropy1'
  369. 'wolfcrypt/src/fips_test.c:wolfEntropy1'
  370. 'wolfcrypt/src/wolfcrypt_first.c:wolfEntropy1'
  371. 'wolfcrypt/src/wolfcrypt_last.c:wolfEntropy1'
  372. 'wolfssl/wolfcrypt/fips.h:wolfEntropy1'
  373. )
  374. WOLFCRYPT_FILES=(
  375. 'wolfcrypt/src/aes.c:wolfEntropy1'
  376. 'wolfcrypt/src/aes_asm.asm:wolfEntropy1'
  377. 'wolfcrypt/src/aes_asm.S:wolfEntropy1'
  378. 'wolfcrypt/src/aes_gcm_asm.S:wolfEntropy1'
  379. 'wolfcrypt/src/ecc.c:wolfEntropy1'
  380. 'wolfcrypt/src/hmac.c:wolfEntropy1'
  381. 'wolfcrypt/src/kdf.c:wolfEntropy1'
  382. 'wolfcrypt/src/random.c:wolfEntropy1'
  383. 'wolfcrypt/src/sha256.c:wolfEntropy1'
  384. 'wolfcrypt/src/sha256_asm.S:wolfEntropy1'
  385. 'wolfcrypt/src/sha3.c:wolfEntropy1'
  386. 'wolfcrypt/src/sha512.c:wolfEntropy1'
  387. 'wolfcrypt/src/sha512_asm.S:wolfEntropy1'
  388. 'wolfssl/wolfcrypt/aes.h:wolfEntropy1'
  389. 'wolfssl/wolfcrypt/ecc.h:wolfEntropy1'
  390. 'wolfssl/wolfcrypt/fips_test.h:wolfEntropy1'
  391. 'wolfssl/wolfcrypt/hmac.h:wolfEntropy1'
  392. 'wolfssl/wolfcrypt/kdf.h:wolfEntropy1'
  393. 'wolfssl/wolfcrypt/random.h:wolfEntropy1'
  394. 'wolfssl/wolfcrypt/sha256.h:wolfEntropy1'
  395. 'wolfssl/wolfcrypt/sha3.h:wolfEntropy1'
  396. 'wolfssl/wolfcrypt/sha512.h:wolfEntropy1'
  397. )
  398. ;;
  399. *)
  400. Usage
  401. exit 1
  402. esac
  403. # checkout_files takes an array of pairs of file paths and git tags to
  404. # checkout. It will check to see if mytag exists and if not will make that
  405. # tag a branch.
  406. function checkout_files() {
  407. local name
  408. local tag
  409. for file_entry in "$@"; do
  410. name=${file_entry%%:*}
  411. tag=${file_entry#*:}
  412. if ! $GIT rev-parse -q --verify "my$tag" >/dev/null
  413. then
  414. $GIT branch --no-track "my$tag" "$tag" || exit $?
  415. fi
  416. $GIT checkout "my$tag" -- "$name" || exit $?
  417. done
  418. }
  419. # copy_fips_files takes an array of pairs of file paths and git tags to
  420. # checkout. It will check to see if mytag exists and if now will make that
  421. # tag a branch. It breaks the filepath apart into file name and path, then
  422. # copies it from the file from the fips directory to the path.
  423. function copy_fips_files() {
  424. local name
  425. local bname
  426. local dname
  427. local tag
  428. for file_entry in "$@"; do
  429. name=${file_entry%%:*}
  430. tag=${file_entry#*:}
  431. bname=$(basename "$name")
  432. dname=$(dirname "$name")
  433. if ! $GIT rev-parse -q --verify "my$tag" >/dev/null; then
  434. $GIT branch --no-track "my$tag" "$tag" || exit $?
  435. fi
  436. $GIT checkout "my$tag" -- "$bname" || exit $?
  437. cp "$bname" "../$dname"
  438. done
  439. }
  440. # Note, it would be cleaner to compute the tag lists using associative arrays,
  441. # but those were introduced in bash-4. It's more important to maintain backward
  442. # compatibility here.
  443. declare -a WOLFCRYPT_TAGS_NEEDED_UNSORTED WOLFCRYPT_TAGS_NEEDED
  444. if [ ${#WOLFCRYPT_FILES[@]} -gt 0 ]; then
  445. for file_entry in "${WOLFCRYPT_FILES[@]}"; do
  446. WOLFCRYPT_TAGS_NEEDED_UNSORTED+=("${file_entry#*:}")
  447. done
  448. while IFS= read -r tag; do WOLFCRYPT_TAGS_NEEDED+=("$tag"); done < <(IFS=$'\n'; sort -u <<< "${WOLFCRYPT_TAGS_NEEDED_UNSORTED[*]}")
  449. if [ "${#WOLFCRYPT_TAGS_NEEDED[@]}" = "0" ]; then
  450. echo "Error -- missing wolfCrypt tags." 1>&2
  451. exit 1
  452. fi
  453. fi
  454. declare -a FIPS_TAGS_NEEDED_UNSORTED FIPS_TAGS_NEEDED
  455. for file_entry in "${FIPS_FILES[@]}"; do
  456. FIPS_TAGS_NEEDED_UNSORTED+=("${file_entry#*:}")
  457. done
  458. while IFS= read -r tag; do FIPS_TAGS_NEEDED+=("$tag"); done < <(IFS=$'\n'; sort -u <<< "${FIPS_TAGS_NEEDED_UNSORTED[*]}")
  459. if [ "${#FIPS_TAGS_NEEDED[@]}" = "0" ]; then
  460. echo "Error -- missing FIPS tags." 1>&2
  461. exit 1
  462. fi
  463. if [ ${#WOLFCRYPT_TAGS_NEEDED[@]} -gt 0 ]; then
  464. echo "wolfCrypt tag$( [[ ${#WOLFCRYPT_TAGS_NEEDED[@]} != "1" ]] && echo -n 's'):"
  465. # Only use shallow fetch if the repo already has shallow branches, to avoid
  466. # tainting full repos with shallow objects.
  467. if [ -f .git/shallow ]; then
  468. shallow_args=(--depth 1)
  469. else
  470. shallow_args=()
  471. fi
  472. for tag in "${WOLFCRYPT_TAGS_NEEDED[@]}"; do
  473. if $GIT describe --long --exact-match "$tag" 2>/dev/null; then
  474. continue
  475. fi
  476. if ! $GIT fetch "${shallow_args[@]}" "$WOLFSSL_REPO" tag "$tag"; then
  477. echo "Can't fetch wolfCrypt tag: $tag" 1>&2
  478. exit 1
  479. fi
  480. # Make sure the tag is associated:
  481. $GIT tag "$tag" FETCH_HEAD >/dev/null 2>&1
  482. done
  483. fi
  484. if ! $GIT clone --shared . "$TEST_DIR"; then
  485. echo "fips-check: Couldn't clone current working directory." 1>&2
  486. exit 1
  487. fi
  488. # If there is a FIPS repo under the parent directory, leverage that:
  489. if [ -d ../fips/.git ]; then
  490. pushd ../fips 1>/dev/null || exit 2
  491. # Only use shallow fetch if the repo already has shallow branches, to avoid
  492. # tainting full repos with shallow objects.
  493. if [ -f .git/shallow ]; then
  494. shallow_args=(--depth 1)
  495. else
  496. shallow_args=()
  497. fi
  498. echo "FIPS tag$( [[ ${#FIPS_TAGS_NEEDED[@]} != "1" ]] && echo -n 's'):"
  499. for tag in "${FIPS_TAGS_NEEDED[@]}"; do
  500. if [ "$tag" = "master" ]; then
  501. # master is handled specially below.
  502. continue
  503. fi
  504. if $GIT describe --long --exact-match "$tag" 2>/dev/null; then
  505. continue
  506. fi
  507. if ! $GIT fetch "${shallow_args[@]}" "$FIPS_REPO" tag "$tag"; then
  508. echo "Can't fetch FIPS tag: $tag" 1>&2
  509. exit 1
  510. fi
  511. # Make sure the tag is associated:
  512. $GIT tag "$tag" FETCH_HEAD >/dev/null 2>&1
  513. done
  514. # The current tooling for the FIPS tests is in the master branch and must be
  515. # checked out here.
  516. if ! $GIT clone --shared --branch master . "${TEST_DIR}/fips"; then
  517. echo "fips-check: Couldn't clone current working directory." 1>&2
  518. exit 1
  519. fi
  520. popd 1>/dev/null || exit 2
  521. # Make sure master is up-to-date:
  522. pushd "${TEST_DIR}/fips" 1>/dev/null || exit 2
  523. if ! $GIT pull "$FIPS_REPO" master; then
  524. echo "Can't refresh master FIPS tag" 1>&2
  525. exit 1
  526. fi
  527. popd 1>/dev/null || exit 2
  528. fi
  529. pushd "$TEST_DIR" 1>/dev/null || exit 2
  530. if [ ! -d fips ]; then
  531. # The current tooling for the FIPS tests is in the master branch and must be
  532. # checked out here.
  533. if ! $GIT clone --depth 1 --branch master "$FIPS_REPO" fips; then
  534. echo "fips-check: Couldn't check out FIPS repository."
  535. exit 1
  536. fi
  537. pushd fips 1>/dev/null || exit 2
  538. echo "FIPS tag$( [[ ${#FIPS_TAGS_NEEDED[@]} != "1" ]] && echo -n 's'):"
  539. for tag in "${FIPS_TAGS_NEEDED[@]}"; do
  540. if [ "$tag" = "master" ]; then
  541. # master was just cloned fresh from $FIPS_REPO above.
  542. continue
  543. fi
  544. if $GIT describe --long --exact-match "$tag" 2>/dev/null; then
  545. continue
  546. fi
  547. # The FIPS repo here is an ephemeral clone, so we can safely use shallow
  548. # fetch unconditionally.
  549. if ! $GIT fetch --depth 1 "$FIPS_REPO" tag "$tag"; then
  550. echo "Can't fetch FIPS tag: $tag" 1>&2
  551. exit 1
  552. fi
  553. # Make sure the tag is associated:
  554. $GIT tag "$tag" FETCH_HEAD >/dev/null 2>&1
  555. done
  556. popd 1>/dev/null || exit 2
  557. fi
  558. checkout_files "${WOLFCRYPT_FILES[@]}" || exit 3
  559. pushd fips 1>/dev/null || exit 2
  560. copy_fips_files "${FIPS_FILES[@]}" || exit 3
  561. popd 1>/dev/null || exit 2
  562. # When checking out cert 3389 ready code, NIST will no longer perform
  563. # new certifications on 140-2 modules. If we were to use the latest files from
  564. # master that would require re-cert due to changes in the module boundary.
  565. # Since OE additions can still be processed for cert3389 we will call 140-2
  566. # ready "fipsv2-OE-ready" indicating it is ready to use for an OE addition but
  567. # would not be good for a new certification effort with the latest files.
  568. if [ "$FLAVOR" = 'fipsv2-OE-ready' ] && [ -s wolfcrypt/src/fips.c ]; then
  569. cp wolfcrypt/src/fips.c wolfcrypt/src/fips.c.bak
  570. sed "s/v4.0.0-alpha/fipsv2-OE-ready/" wolfcrypt/src/fips.c.bak >wolfcrypt/src/fips.c
  571. fi
  572. # run the make test
  573. if [ "$DOAUTOGEN" = "yes" ]; then
  574. ./autogen.sh
  575. fi
  576. if [ "$DOCONFIGURE" = "yes" ]; then
  577. case "$FIPS_OPTION" in
  578. cavp-selftest)
  579. ./configure --enable-selftest
  580. ;;
  581. cavp-selftest-v2)
  582. ./configure --enable-selftest=v2
  583. ;;
  584. *)
  585. ./configure --enable-fips=$FIPS_OPTION
  586. ;;
  587. esac
  588. if ! $MAKE; then
  589. echo 'fips-check: Make failed. Debris left for analysis.'
  590. exit 3
  591. fi
  592. if [ -s wolfcrypt/src/fips_test.c ]; then
  593. NEWHASH=$(./wolfcrypt/test/testwolfcrypt | sed -n 's/hash = \(.*\)/\1/p')
  594. if [ -n "$NEWHASH" ]; then
  595. cp wolfcrypt/src/fips_test.c wolfcrypt/src/fips_test.c.bak
  596. sed "s/^\".*\";/\"${NEWHASH}\";/" wolfcrypt/src/fips_test.c.bak >wolfcrypt/src/fips_test.c
  597. make clean
  598. fi
  599. fi
  600. if [ "$MAKECHECK" = "yes" ]; then
  601. if ! $MAKE check; then
  602. echo 'fips-check: Test failed. Debris left for analysis.'
  603. exit 3
  604. fi
  605. fi
  606. fi
  607. # Clean up
  608. popd 1>/dev/null || exit 2
  609. if [ "$KEEP" = 'no' ]; then
  610. rm -rf "$TEST_DIR"
  611. fi